However, from the surface, it appeared that this was not necessarily the case with AD1 files. Traditional forensic image files, such as DD, AFF or E01 files, typically contain the entire file system structure, including partition data, slack space, unallocated data, full file metadata, etc. Now as to exactly what a ‘forensic image container’ means in this context was the next phase of my research. The AD1 File FormatĪD1 files are an AccessData proprietary format described on their official blog as being a “ forensic image container” 1, meaning that they are not very well documented online, which is to be expected. Should anyone reading this know of a CLI tool or method that I am not aware of which can perform these extractions, please let me know. Interestingly, even after extensive searching online, I could not find a reliable way to extract AD1 data from the Linux command-line. Use another Windows-based forensic tool (like Paladin) to mount and extract the AD1 data.Load the AD1 image into FTK Imager and manually export the files.On Windows, the examiner has multiple options for extracting AD1 files, which include: However, they all recommended using Windows-based tools to export the data. Interestingly, I found a number of online forums discussing whether this was indeed possible 1, 2, 3, 4. Now, being that I am a Linux-based user, my first reaction was to ascertain whether there was a pre-existing way to extract an AD1 file without using the Windows Operating System. This challenge provides an AD1 file with which the player needs to analyse in order to answer a series of questions. To this end, I began working through some of the forensic challenges present on CyberDefenders, specifically the one named HireMe. Such challenges are not uncommon to see in the world of DFIR, and I have found them to be a very useful aide when teaching analysts how to interrogate disk images with forensic software. I began my exploration into the AD1 fiile format through a digital forensic challenge of all things. Therefore, the findings disclosed here should not be treated as an exhaustive, nor conclusive study into the AD1 file format, but rather a foundation with which to build upon. The research conducted into this file format includes observations made about the overall data structures, which are based on the results of experimentation performed against multiple samples collated solely for the purposes of this article. This format is also referred to as AD1 from their extension, and are generated by the popular digital forensics tool FTK Imager. This article will be covering my personal exploration and dissection of the proprietary AccessData image format known as the AccessData Logial Image.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |